b'     T         estimony\n\n                     STATEMENT OF\n                  ROBERT J. LIEBERMAN\n             ASSISTANT INSPECTOR GENERAL,\n                     FOR AUDITING,\n                DEPARTMENT OF DEFENSE\n                      BEFORE THE\n SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION\n                   AND TECHNOLOGY\n          COMMITTEE ON GOVERNMENT REFORM,\n        AND THE SUBCOMMITTEE ON TECHNOLOGY,\n                COMMITTEE ON SCIENCE,\n        UNITED STATES HOUSE OF REPRESENTATIVES\n       ON THE YEAR 2000 TECHNOLOGY CHALLENGE\n            AT THE DEPARTMENT OF DEFENSE\n\n\n\nReport Number 99-105        DELIVERED: March 2, 1999\n\n\n                Office of the Inspector General\n                    Department of Defense\n\x0c                                                                 2\n\n\nMr. Chairman, Madam Chair and Members of the Subcommittees:\n\n\n\nThank you for the opportunity to discuss the challenge\n\nconfronting the Department of Defense (DoD) because of the so-\n\ncalled Millenium Bug, which is the inability of many computers\n\nto process certain dates, especially those ending with the\n\ndigits \xe2\x80\x9c00.\xe2\x80\x9d    The Department\xe2\x80\x99s extensive dependence on computing\n\ntechnology for conducting both military operations and support\n\nfunctions makes any potentially widespread disruption or\n\ndegradation of system performance a major concern.   Therefore\n\nthe Secretary of Defense and Chairman, Joint Chiefs of Staff,\n\nhave appropriately termed the Millenium Bug a major threat to\n\nmilitary readiness.\n\n\n\nComplexity of the Challenge\n\n\n\nThe task of ensuring there is no significant impairment of the\n\nDepartment\xe2\x80\x99s ability to execute its missions and day to day\n\nfunctions is one of the most complex challenges ever faced by\n\nDoD managers.    This is primarily because of the sheer magnitude\n\nof the problem.    Consider that:\n\n\n\n     n   The DoD uses about 28,000 information systems, of which\n\n         approximately 2,300 are mission critical.\n\x0c                                                            3\n\n\n\n\nn   About 1.5 million DoD computers exchange data with\n\n    organizations as diverse as other DoD components,\n\n    allies, coalition partners, defense contractors,\n\n    financial institutions, the National Command Authority,\n\n    other Federal agencies, and state governments;\n\n\n\nn   Hundreds of thousands of pieces of equipment, ranging\n\n    from the largest weapon systems to hand held\n\n    electronics, contain tens of millions of microprocessor\n\n    chips, some of which are date sensitive;\n\n\n\nn   The cost of the DoD year 2000 conversion effort is\n\n    estimated at $2.9 billion;\n\n\n\nn   The Department depends on hundreds of governments and\n\n    firms, domestically and abroad, to provide utilities\n\n    such as power, telecommunication links and water to over\n\n    500 major military bases, many of which have populations\n\n    equivalent to small cities;\n\n\n\nn   When U.S. forces deploy, they depend on allies and host\n\n    nations for a wide range of additional logistical\n\x0c                                                                 4\n\n\n         support services, as specified in thousands of\n\n         agreements with dozens of governments; and\n\n\n\n     n   The DoD purchases goods and services other than\n\n         utilities, often electronically, from tens of thousands\n\n         of contractors, 6,500 of which are considered critical\n\n         suppliers.\n\n\n\nIn addition, the DoD year 2000 conversion challenge has been\n\nmade considerably more difficult by a combination of factors\n\nrelated to management culture.   Those factors included:\n\n\n\n     n   A legacy of very decentralized information technology\n\n         resources management, which led to a runaway\n\n         proliferation of systems that was only recently\n\n         addressed;\n\n\n\n     n   Inadequate management visibility initially into what\n\n         comprised the systems inventory, which systems were\n\n         mission critical and what the interfaces were;\n\n\n\n     n   Lax configuration management policies;\n\x0c                                                                5\n\n\n     n   An initial tendency to view the Millenium Bug as a\n\n         purely technical problem that could be solved by the\n\n         information technologists, without a need for much\n\n         involvement by managers and commanders;\n\n\n\n     n   Chronically poor documentation of systems and software\n\n         modifications, so that much old, date sensitive computer\n\n         code is hidden beneath newer code; and\n\n\n\n     n   Resistance to reprioritizing resources to deal with the\n\n         year 2000 problem early, especially if diverting\n\n         resources would slow down other initiatives.\n\n\n\nAudit and Inspection Community Role\n\n\n\nThe IG approached the Department\xe2\x80\x99s Chief Information Officer in\n\nearly 1997 with an offer to help him achieve sufficient\n\noversight and management control in those areas considered to\n\nhave the most risk.   The Chief Information Officer was very\n\nreceptive to the concept of relying extensively on DoD internal\n\naudit capabilities to assure management awareness, validate\n\nreported progress and identify inadequately addressed barriers\n\nto mission continuity.   Based on that informal partnership\n\nagreement, we have provided 50 \xe2\x80\x9cY2K\xe2\x80\x9d audit reports to the\n\x0c                                                                  6\n\n\nDepartment over the past year and a half, and are currently\n\nworking on about the same number of additional audits.    Coverage\n\nof Y2K conversion issues has been our top discretionary audit\n\npriority in fiscal years 1998 and 1999.    In addition, we have\n\ncoordinated Y2K efforts by the Military Department audit and\n\ninspection organizations, which have issued numerous reports in\n\naccordance with their own Y2K coverage agreements or taskings\n\nwithin their Services.   We have also worked closely with the\n\nGeneral Accounting Office and exchanged information with our\n\ncounterparts in several countries.\n\n\n\nGenerally, DoD managers and commanders have been extremely\n\ncooperative and responsive to audit advice.    To ensure that\n\nsenior officials are aware of our audit results and so that we\n\ncan effectively focus on high risk areas, we participate in\n\nOffice of the Secretary of Defense and Joint Staff Y2K\n\nmanagement conferences, workshops and planning sessions.    I meet\n\npersonally with senior Chief Information Officer aides at least\n\ntwice a month and attend the Deputy Secretary of Defense Year\n\n2000 Steering Group monthly briefings.    Virtually all audit\n\nfindings and recommendations have resulted in prompt corrective\n\naction, which is often initiated by management while the\n\nauditors are still on site and before a formal report is even\n\nissued.   In addition, when Deputy Secretary Hamre was apprised\n\x0c                                                                 7\n\n\nof repeated audit findings regarding inaccurate reporting of Y2K\n\nprogress, he promptly convened a special session of senior DoD\n\nofficials to hear our results and reemphasized the need to be\n\nresponsive to audit recommendations to improve the quality of\n\nreporting.   Top DoD management\xe2\x80\x99s encouragement of intensive\n\nauditing of Y2K progress and its responsiveness to audit\n\nresults, positive or negative, have been both gratifying and\n\nchallenging to the audit community.\n\n\n\nExamples of our Y2K audit reports are summarized in the\n\nattachment to this statement.\n\n\n\nSlow Start, But Likely a Strong Finish\n\n\n\nAs reflected in the rather low grades that Chairman Horn gave to\n\nDoD Y2K performance initially, the Department got off to a slow\n\nstart.   In hindsight, most managers underestimated both the\n\ncomplexity of the problem and the commitment of resources and\n\nexecutive managers\xe2\x80\x99 time that would be necessary.   As late as\n\nlast summer, audits were indicating a widespread lack of\n\nawareness; insufficient Y2K staffing at all levels of the\n\nDepartment; and only rudimentary Y2K planning at dozens of\n\ncrucial organizations, including most combatant commands, most\n\x0c                                                               8\n\n\nfunctional area staffs within the Office of the Secretary of\n\nDefense, many support commands and most installations.    Although\n\nmany DoD organizations were working hard on the remediation of\n\nmission critical information systems, a high percentage of\n\nremediation plans provided for completion very late in calendar\n\nyear 1999 and large scale \xe2\x80\x9csystem of systems\xe2\x80\x9d test plans were in\n\nvague conceptual form only.   There was even some resistance to\n\nthe notion of modifying previously planned exercises to\n\naccommodate Y2K scenarios or to plan for other large scale\n\ntesting.\n\n\n\nA decisive turning point came in early August 1998, when the\n\nSecretary of Defense declared that the Department\xe2\x80\x99s progress up\n\nto that point had been insufficient.   Both the Secretary and the\n\nDeputy Secretary prescribed a number of measures during that\n\ntimeframe to accelerate the Department\xe2\x80\x99s effort and to move\n\naccountability for Y2K success beyond the boundaries of the\n\ninformation technology community to all senior managers and\n\ncommanders.   The strong and unambiguous message that Y2K was a\n\ngenuine threat to readiness, which needed to be treated as such\n\nby the leaders of the operating forces and the acquisition,\n\nlogistics, finance and other support communities, had the\n\nintended effect.\n\x0c                                                                9\n\n\n\n\nThe number of mission critical systems that have been certified\n\nas Y2K compliant has grown as follows:\n\n\n\n          February 1998:         706     (24%)\n\n          May 1998      :        812     (29%)\n\n          August 1998   :      1,236     (39%)\n\n          November 1998:       1,352     (52%)\n\n          February 1999:       1,670     (72%)\n\n\n\nEqually important, efforts have greatly accelerated over the\n\npast few months to assess the Y2K readiness of DoD-owned,\n\ninfrastructure; of the private sector infrastructure on which\n\nDoD also depends; of the diverse range of data exchange partners\n\nand of host nations abroad.   In addition, one of the largest\n\ntesting efforts ever undertaken by the Department has now\n\nstarted and will continue through calendar year 1999.\n\n\n\nInspector General, DoD, Assessments\n\n\n\nIn the Inspector General, DoD, semiannual report to the Congress\n\nfor the six month period ending September 30, 1998, and again in\n\na December 1998 summary report on 142 audit and inspection\n\x0c                                                               10\n\n\nreports issued between August 1997 and early December 1998, we\n\nconcluded that the Secretary of Defense assessment that progress\n\nhad been insufficient as of August 1998 had been well founded.\n\nWe also took note of the increased emphasis and progress by the\n\nDepartment over the last few months of 1998.\n\n\n\nWe will be issuing another summary report this month.    It will\n\nreflect the results of audits and inspections conducted in late\n\n1998 and early 1999.   The results are generally much more\n\npositive than those from last year and are another indicator\n\nthat the pace and effectiveness of the DoD Y2K program have\n\nimproved significantly.   With sustained close management\n\nattention through 1999, we are confident that the Department can\n\nachieve its goal of ensuring the continuity of critical\n\noperations and capabilities as the millenium passes.    However,\n\nmuch work remains to be done.   No assessments of overall\n\nprogress can be entirely credible in the absence of significant\n\nquantities of test results, which will not be available for a\n\nfew more months, and the belated start in some areas has caused\n\na fairly high risk level to persist there.\n\n\n\nThose areas of continuing concern include:\n\x0c                                                               11\n\n\n     n    Well over 600 mission-critical systems that remain Y2K\n\n          non-compliant;\n\n\n\n     n    infrastructure, especially overseas;\n\n\n\n     n    supplier readiness;\n\n\n\n     n    untested contractor off the shelf products;\n\n\n\n     n    contingency planning;\n\n\n\n     n    mainframe computer platforms; and\n\n\n\n     n    greatly compressed testing schedules.\n\n\n\nTesting\n\n\n\nThe continuing concern that I would like to focus on today\n\nrelates to the testing challenge.   The DoD Y2K conversion effort\n\nis unprecedented in many ways, one of which is the scope of the\n\ncrucial Y2K testing that will continue through the end of 1999.\n\nIn addition to the individual system/application testing that is\n\nperformed before a system is certified as Y2K compliant, the\n\x0c                                                                12\n\n\nvarious DoD components are engaged in three kinds of \xe2\x80\x9chigher\n\nlevel\xe2\x80\x9d testing:\n\n\n\n     n   Intersystem integration testing at the Military Service\n\n         or lower organizational levels, either as special Y2K\n\n         tests or as part of routinely performed activity such as\n\n         Navy battlegroup system integration tests.\n\n\n\n     n   More than 76 end-to-end system test events, covering 93\n\n         processes in functional areas such as finance or command\n\n         and control, and involving over 600 mission critical\n\n         systems;\n\n\n\n     n   Approximately 31 operational evaluations by the unified\n\n         commands around the world.\n\n\n\nWe cannot over emphasize the need for robust in-depth testing.\n\nThe sheer number of systems involved, the risk of incompatible\n\nY2K fixes because of the number of different firms and\n\nindividuals involved in remediating code, and the compression of\n\nthis ambitious testing schedule into just over a year pose a\n\nformidable management challenge.   In our view, it is the most\n\ndaunting of the remaining Y2K challenges.   A significant portion\n\nof our auditing emphasis will be directed to this area.\n\x0c                                                                13\n\n\n\n\nWe will be looking for indicators of good test planning, such as\n\ndetailed written test plans; management controls to ensure\n\nappropriate oversight of both the test plans and the reporting\n\nof test results; and provision for sufficient technical support\n\nbefore, during, and after the test.   We fully anticipate that\n\nnumerous previously undetected and perhaps unanticipated\n\n\xe2\x80\x9cglitches\xe2\x80\x9d will surface during each of the various types of\n\ntests.   If not, the rigor of the tests-\xe2\x80\x94and their credibility-\xe2\x80\x94\n\nmay be called into question.   This is a significant mindset\n\nchange for many managers and commanders, who by habit and\n\ntraining may tend to seek perfect scores.   Identifying computer\n\ncode that is still not fixed is a victory, not a defeat, for the\n\ntesting process.\n\n\n\nIt is also important that managers be encouraged to seek out the\n\nmost effective available Y2K diagnostic tools and not hesitate\n\nto test or retest their code, whether or not their systems are\n\nmission-critical or are included in multi-system testing.      More\n\nand more powerful tools are entering the market place and can\n\nprovide extra assurance.\n\x0c                                                             14\n\n\nConclusion\n\n\n\nIn conclusion, we believe that the DoD is overcoming the\n\nincreased risk posed by its belated start on several facets of\n\nthe Y2K conversion effort.   As the intensive effort continues,\n\nwe remain committed to our partnership with the Department on\n\nthis difficult matter and will continue striving to provide DoD,\n\nthe President\xe2\x80\x99s Council on Y2K Conversion, the Office of\n\nManagement and Budget, and Congress with reliable, candid and\n\ntimely feedback on Y2K progress.\n\n\n\n\nAttachment\n\x0c               Examples of Year 2000 Audit Results\n                 Office of Inspector General, DoD\n\n\nReport No. 99-086, Year 2000 Issues Within the U.S. Pacific\nCommand\xe2\x80\x99s Area of Responsibility: III Marine Expeditionary\nForce, February 22, 1999. This was a good news report. The\nIII Marine Expeditionary Force had taken a proactive approach to\nensuring that its information systems will be compliant in the\nyear 2000. The III Marine Expeditionary Force had made progress\nwith actions to assess system compliance, implement corrective\nactions, and accurately report status issues for potential year\n2000-related failures. When the III MEF year 2000 conversion\neffort is completed, including participation in further testing\nand operational evaluation, the risk of mission capability\nimpairment because of year 2000 problems should be low.\n\nReport No. 99-081, Tooele Chemical Agent Disposal Facility\nPreparation for Year 2000, February 16, 1999. The Tooele\nChemical Agent Disposal Facility was considerably behind Army\nand DoD schedules for assessing year 2000 vulnerability and\ncarrying out conversion measures. In addition, Tooele Chemical\nAgent Disposal Facility had not prepared the required year 2000\ndocumentation, which are the assessment plan, the contingency\nplan, the risk management plan, and the validation plan and\nschedule. During the audit, reporting errors were corrected\nand Army management emphasis increased; however, estimated\ncompletion dates for the conversion extended well into calendar\nyear 1999. Successful completion of all year 2000 conversion\nmeasures is necessary to avoid operational impairment and\nobviate any safety concerns. The Army agreed and aggressive\nmeasures are being taken to accelerate the conversion effort.\n\nReport No. 99-079, Year 2000 Conversion Program at the Dugway\nProving Ground Major Range and Test Facility, February 9, 1999.\nA good news report. The renovation of both business and test\nsystems was being effectively managed. Dugway Proving Ground\nidentified seven systems for assessment, developed contingency\nplans, tested all systems and maintained all the necessary\ndocumentation. The range met the Army\xe2\x80\x99s deadline of completing\nthe renovation phase by September 1998. Six of the seven\nsystems completed the implementation phase by December 31, 1998.\nThe meteorology system completed the implementation phase in\nFebruary 1999.\n\nReport No. 99-076, Year 2000 Posture of DoD Mid-Tier Computer\nSystems, February 3, 1999. Good news report. Managers of the\n14 mid-tier systems reviewed in the audit were actively managing\neach primary element to achieve year 2000 compliance, and they\nappropriately reported the year 2000 status of each mission-\ncritical computer system. The major reason that mid-tier\nsystems were appropriately managed and reported was because\nthe primary elements of each system were the responsibility of\na single manager. Additionally, Army and Air Force year 2000\n\x0c                                                             2\n\nreporting guidance specifically requires that Service\nsub-components track and report each primary element of\ncomputer systems. Further, some program managers prudently\nwent beyond existing formal requirements to employ further risk-\nreduction tactics, such as testing vendor-validated products.\nAccordingly, for the mid-tier systems reviewed, we judged that\nthe risk of system failure at the turn of the century because\nof a primary element being overlooked was low.\n\nReport No. 99-063, Global Positioning System Receiver Compliance\nwith Year 2000 Requirements, December 31, 1998. The Global\nPositioning System (GPS) is a worldwide, satellite-based radio\nnavigation system developed by DoD. The system is able to show\na user\xe2\x80\x99s position on or above the earth with great precision,\nregardless of weather conditions. Dates and times are important\nto GPS receivers. The receivers determine a position by\ncomparing the time generated by an internal clock to the times\nreceived from the fleet of GPS satellites. The difference\nbetween the times is used by the receiver to compute its\ndistance from the satellite and hence compute its location.\n\nIn February 1998, the Assistant Deputy Under Secretary of\nDefense (Space Systems and Architectures) issued a memorandum,\n\xe2\x80\x9cGlobal Positioning System Year 2000 Compliance,\xe2\x80\x9d tasking the\nGPS Joint Program Office to assess the Y2K compliance status of\nall DoD GPS receivers. The Assistant Deputy Under Secretary\nalso directed organizations that have procured non-validated\nreceivers from sources other than the program office to provide\nthe program office with the Year 2000 compliance status of those\nreceivers by April 30, 1998.\n\nThe audit indicated that the GPS Joint Program Office had not\ncompleted the inventory and Year 2000 assessment of non-\nvalidated GPS receivers procured directly by DoD organizations,\ncivilian Federal agencies, Defense contractors, and allied\nnations. The delay was primarily caused by lack of cooperation\nby many of those organizations. In addition, DoD had not done\nenough to mitigate risk by testing commercial receivers. As a\nresult, systematic distribution of reliable information on Y2K\ncompliance of the equipment to users has been hampered,\nincreasing the risk of mission disruption.\n\nAfter expressing some initial concern about the need for testing\ncommercial receivers, management agreed with the report and is\ntaking action.\n\nReport No. 99-059, Summary of DoD Year 2000 Conversion\xe2\x80\x94Audit and\nInspection Results, December 24, 1998. This report summarized\nY2K issues identified in 142 General Accounting Office;\nInspector General, DoD; Army; Navy; and Air Force Audit reports\nfrom August 1997 to December 1998. It also included information\nreported by the Inspector General, Navy, and the Inspector\nGeneral, Marine Corps. The Inspector General, Army, and the\nInspector General, Air Force, had not yet reported on Y2K.\n\x0c                                                             3\n\n\nYear 2000 conversion problems were identified within the\nfollowing areas:\n\n     \xe2\x80\xa2    management oversight and awareness (95 reports),\n     \xe2\x80\xa2    reporting (79 reports),\n     \xe2\x80\xa2    assessment (97 reports),\n     \xe2\x80\xa2    resource requirements estimation (48 reports),\n     \xe2\x80\xa2    interface identification and agreements (74 reports),\n     \xe2\x80\xa2    prioritization (14 reports),\n     \xe2\x80\xa2    testing (83 reports),\n     \xe2\x80\xa2    contingency and continuity-of-operations planning\n             (104 reports),\n     \xe2\x80\xa2    contracts (21 reports), and\n     \xe2\x80\xa2    infrastructure (44 reports).\n\nThe results supported the DoD acknowledgements that the year\n2000 conversion poses a high risk for a very wide range of DoD\nfunctions and organizations and that the conversion progress\nas of late FY 1998 had been insufficient. These results were\nbriefed to the Deputy Secretary of Defense and DoD Y2K Steering\nGroup in early December 1998.\n\nReport No. 99-058, \xe2\x80\x9cYear 2000 Conversion of Defense Critical\nSuppliers,\xe2\x80\x9d December 18, 1998. Until late FY 1998, outreach\nefforts to suppliers of National Defense goods and services\nwere left to individual DoD components to organize, execute\nand monitor. As a result, the emphasis put on outreach to\nsuppliers varied greatly among DoD acquisition and logistics\norganizations. Many organizations had no organized outreach\neffort. DoD faced an increased risk of production and delivery\ndisruptions because of the belated outreach focus to ensure\nsuppliers\xe2\x80\x99 Y2K conversion. If commercial suppliers of critical\nsupplies experience disruptions as a result of computer\nfailures, the logistics pipeline may be compromised.\n\nDuring the audit, we worked with management to accelerate\nefforts in this area. The DoD established a Joint Supplier\nCapability Working Group. By October 1998, this team had\nestablished the methodology for identifying critical items and\ntheir suppliers, as well as a reasonable action plan for\nassessing critical suppliers\xe2\x80\x99 year 2000 compliance. A survey of\n6,500 critical suppliers began in February 1999. The Defense\nLogistics Agency\xe2\x80\x99s Defense Contract Management Command will\nconduct most of the survey. The IG, DoD, is monitoring the\neffort and providing particular assistance to Defense supply\ncenters.\n\nReport No. 99-027, DoD Base Communications Systems Compliance\nwith Year 2000 Requirements, October 30, 1998. The audit\nindicated 131 non-compliant telecommunication switches would not\nbe replaced or made compliant by the March 31, 1999 deadline\nestablished by the Office of Management and Budget. This high\nrisk developed because of inefficient identification of the\n\x0c                                                             4\n\nswitch inventory, insufficiently high priority given to these\ncritical items, and funding problems. Management agreed and\nadditional emphasis was put on switch replacement or\nremediation. The IG, DoD, is tracking progress on each switch\nin every DoD component organization.\n\nReport No. 99-022, Year 2000 Conversion at the Army Major Range\nand Test Facilities, October 29, 1998. The three Army major\nrange and test facilities visited, the Aberdeen Proving Ground,\nthe White Sands Missile Range, and the Yuma Proving Ground, were\non schedule. All required documentation and certification forms\nfor the compliant systems were completed as required by the Army\nAction Plan and the DoD Management Plan.\n\nReport No. 98-207, Year 2000 Contract Language for Weapon\nSystems, September 22, 1998. Of 16 weapon systems reviewed, 9\nweapon systems had contracts that did not contain language from\nFederal Acquisition Regulation 39.106, \xe2\x80\x9cYear 2000 Compliance.\xe2\x80\x9d\nIn July 1998, when the initial audit results were briefed, the\nUnder Secretary of Defense for Acquisition and Technology had\nnot yet issued Y2K guidance for weapon systems. On August 7,\n1998, the Secretary of Defense directed the Services and Defense\nagencies to report on each major acquisition system under their\npurview. Each report was to address areas of Y2K compliance or\nnoncompliance for each system. The Secretary of Defense also\ndirected that funds not be obligated for any contract for\ninformation technology or national security systems that process\ndate-related information, if that contract did not contain Y2K\nrequirements specified in the Federal Acquisition Regulation.\nDuring the audits, the program management offices took action\nto ensure that the contracts and solicitations for the nine\ndeficient weapon system programs would include Y2K compliance\nlanguage.\n\nReport No. 98-193, Evaluation of the Defense Megacenters Year\n2000 Program, August 25, 1998. Although much progress had been\nmade in converting the Defense Megacenters systems and platforms\nto Y2K compliance, problems remained in three areas: reporting,\ntesting, and contingency planning.\n\nThe Defense Information Systems Agency Western Hemisphere Y2K\nstatus reports for mainframe executive operating software were\nincomplete and could be misinterpreted. The reports showed that\nthe executive software product inventory was 60 percent\ncompliant, but did not show that the domain compliance itself\nwas zero percent. The Defense Information Systems Agency\nWestern Hemisphere and the Central Design Activities, which are\npart of the Military Departments and Defense agencies, had joint\nresponsibility for fixing segments of the domains. However,\ncoordination needed improvement.\n\nOn July 2, 1998, the Deputy Secretary of Defense directed\nwritten agreements between the Defense Information Systems\nAgency and domain users. In addition, the Office of the\n\x0c                                                               5\n\nAssistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) coordinated a Secretary of\nDefense memorandum that stated funds were not to be obligated\nfor any domain user that failed to sign explicit test agreements\nwith the Defense Information Systems Agency by October 1, 1998.\nThe memorandum, dated August 7, 1998, also states that the\nDefense Information Systems Agency was to provide a report to\nthe Office of the Assistant Secretary of Defense (Command,\nControl, Communications, and Intelligence) by October 15, 1998,\nlisting all domain users that failed to sign test agreements\nwith the Defense Information Systems Agency by October 1, 1998.\nFinally, the Office of the Assistant Secretary of Defense\n(Command, Control, Communications, and Intelligence) stated that\nit would request that the Y2K compliance reports from the\nDefense Information Systems Agency include items that would\nidentify domains, mission-critical systems, or national security\nsystems that had a high risk of Y2K noncompliance.\n\nThe IG, DoD, is continuing to monitor the year 2000 conversion\nefforts at the Defense Megacenters.\n\nReport No. 98-147, Year 2000 Certification of Mission-Critical\nDoD Information Technology Systems, June 5, 1998. The audit\nindicated that DoD components certified only 109 (25.3 percent)\nof the 430 systems reported as Y2K compliant in November 1997.\nSystems were not certified because DoD components did not\nadequately implement and enforce the guidance in the DoD\nManagement Plan or their own Y2K guidance. Additionally, the\ninitial DoD Management Plan was not clear as to specific Y2K\ncertification requirements.\n\nThe Office of the Assistant Secretary of Defense (Command,\nControl, Communications, and Intelligence) concurred with our\nrecommendations and instituted several measures, including the\nfollowing:\n\n     \xe2\x80\xa2    requiring that all mission-critical systems have\n          independent tests and operational contingency plans,\n\n     \xe2\x80\xa2    updating the DoD Management Plan in June 1998 with\n          better guidance on certification and testing, and\n\n     \xe2\x80\xa2    developing a new Y2K database that would include the\n          target date to complete each phase of Y2K remediation\n          for each mission-critical system.\n\nReport No. 98-065, DoD Information Technology Solicitations and\nContract Compliance for Year 2000 Requirements, February 6,\n1998. The DoD initiated actions to address the new procurement\naspects of the Year 2000 issue in mid-1996 in an Assistant\nSecretary of Defense (Command, Control, Communications, and\nIntelligence) memorandum, \xe2\x80\x9cYear 2000 Computing Problem with\nPersonal Computers and Workstations,\xe2\x80\x9d May 8, 1996. Federal\nAcquisition Regulation section 39.106, \xe2\x80\x9cYear 2000 Compliance,\xe2\x80\x9d\n\x0c                                                             6\n\nsubsequently provided mandatory guidance to assist agencies in\nacquiring only those information technology products and systems\nthat are Year 2000 compliant.\n\nThe audit indicated that initial DoD compliance with the\nrequirements was poor. Twenty of the major 35 indefinite-\ndelivery/indefinite-quantity and indefinite-deliver-requirement\ninformation technology contracts (for commercial off-the shelf\nproducts) that were audited did not have the required Federal\nAcquisition Regulation Year 2000 compliance language. None of\nthe 35 contracts required testing of purchased products. As\na result, DoD had no assurance that information technology\nproducts purchased were year 2000 compliant. Additionally,\nbecause 33 of the 35 contracts were available for use by other\nFederal agencies, nonconforming contract deliverables could\nnegatively affect non-DoD systems.\n\nBased on initial audit results, DoD issued stronger guidance on\nDecember 18, 1997, before our final report was issued.\nSubsequently, the DoD components reported that the 20 deficient\ncontracts had been modified. Guidance on testing was also\nimproved. Proper use of Y2K contract clauses is now routinely\nchecked in most Y2K audits; some isolated instances of continued\nnon-compliance have been reported and corrected.\n\x0c'